Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to monitor a multi line log with a variable number of field value pairs?

arrowecssupport
Communicator
‎02-06-2017 07:59 AM

We monitor the log output of many file storage systems, some devices have only a few, others have hundreds, but there is no way of knowing how many disks each log file will contain.
The issue (in the real world) is that the customer has 2 non compatible drives; the 750gb HDD part code HRF750.
We want to be able to extract on the full line 750gb HDD partnumber: HRF750 s/n: 31564847877 from the log where ever we find the part code HRF750. We can then put this in a table or report, allowing us to find systems running on compatible hardware.

How do I go about doing this?

Below is an example of what a log file looks like. 

Array model: RX-100
250gb SSD partnumber: XFA250 s/n: 12313123123
250gb SSD partnumber: XFA250 s/n: 56498787521
250gb SSD partnumber: XFA250 s/n: 95195195198
250gb SSD partnumber: XFA250 s/n: 51515151511
250gb SSD partnumber: XFA250 s/n: 95959595959
750gb HDD partnumber: HRF750 s/n: 31564847877
750gb HDD partnumber: HRF750 s/n: 89765432145
0 Karma
Reply

aaraneta_splunk
Splunk Employee
Splunk Employee
‎03-12-2017 02:34 PM

@arrowecssupport - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.

0 Karma
Reply

woodcock
Esteemed Legend
‎03-02-2017 02:12 PM

Maybe this:

... | rex "^Array model\s*:\s*(?<arraymodel>[^\r\n\s]+)"
| rex max_match=0 "(?ms)(?<diskdetail>[^\r\n]+)"
| mvexpand diskdetail
| rex field=diskdetail "^(?<size>\S+)[^:]+:\s+(?<partnumber>\S+)[^:]+:\s+(?<serialnumber>.*)$"
| fields - diskdetail

Now you can add whatever logic that you would like to find mismatches.

0 Karma
Reply

gvmorley
Contributor
‎02-10-2017 01:32 AM

Hi,

It would be good to know if you're indexing these logs line by line, or as one long event?

Assuming that you've just pulled them in as one event (since you mention multi-line in the title), you can still use the rex command to extract the info you want.

What might be tripping you up is that by default rex only returns the first match. But if you set it to max_match=0 then it will do multiple matches.

So maybe something like this:

| rex max_match=0 "(?m)partnumber:\s(?<part_serial>[^\s]+\ss/n:\s[\w\d]+)"
| rex "Array\smodel:\s(?<array_model>[\w\d-]+)"
| mvexpand part_serial
| table array_model part_serial
| where match(part_serial,"HRF750")

This would return a table which looks like:

alt text

That will hopefully get you started. If the logs have something like the customer or system name in them, you could include that too.

Preview file
1 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...